All administrators must belong to an admin group. The permissions and properties that you set for a group apply to all administrators assigned to that group. You can assign a dashboard template to an admin group. A dashboard template specifies the tasks an admin group can access through the Tasks Dashboard tab when they log in to Grid Manager. For information about dashboard templates, see Configuring Dashboard Templates. You can also restrict certain user groups to manage specific tasks in the Tasks Dashboard tab only. These users cannot manage other core network services through Grid Manager. For information about how to apply this restriction, see the Creating Limited-Access Admin Groups section.
To define admins who can perform specific core network service tasks, you can set up admin groups and assign them permissions for those tasks. To control when and whether certain tasks should be performed, you can add an admin group to an approval workflow and define the admins as submitters or approvers. A submitter is an admin whose tasks require approvals before execution, and an approver is an admin who can approve the submitted tasks. When you add submitter and approver groups to an approval workflow, you have control over who can perform which mission critical tasks and whether and when the tasks should be executed. For more information about how to create and configure approval workflows, see see Configuring Approval Workflows.
There are three types of admin groups:
...
All limited-access admin groups require either read-only or read/write permission to access certain resources, such as Grid members, and DNS and DHCP resources, to perform certain tasks. Therefore, when you create an admin group, you must specify which resources the group is authorized to access and their level of access.
Only superusers can create admin groups and define their administrative permissions. There are two ways to define the permissions of an admin group. You can create an admin group and assign permissions directly to the group, or you can create roles that contain permissions and assign the roles to an admin group.
You must create admin groups and assign them access to the cloud API and applicable permissions so they have authority over delegated objects. When you assign permissions for objects that have not been delegated, these admin groups or admin users assume applicable permissions to these un-delegated objects. For example, you can create an admin group that can access a specific set of networks while another can access another set of networks. Note that you cannot create a new admin group using the same name. For information about Cloud Network Automation, see see Deploying Cloud Network Automation.
Complete the following tasks to assign permissions directly to an admin group:
- Create an admin group, as described in the Creating Limited-Access Admin Groups section.
- Assign permissions to the admin group, as described in About Administrative Permissions.
- Complete these tasks to assign admin roles to an admin group:
- Create an admin role, as described
- in About Admin Roles.
- Define permissions for the newly created admin role, as described in Creating Admin Roles.
- Create an admin group and assign the role to the group, as described
- in the Creating Limited-Access Admin Groups section.
After you have created admin groups and defined their administrative permissions, you can assign administrators to the group.
- For local admins, see see Creating Local Admins.
- For remote admins, see see About Remote Admins.
Creating Superuser Admin Groups
Superusers have unlimited access to the NIOS appliance. They can perform all operations that the appliance supports. There are some operations, such as creating admin groups and roles, that only superusers can perform.
Note that there must always be one superuser admin account, called "admin", stored in the local database to ensure that at least one administrator can log in to the appliance in case the NIOS appliance loses connectivity to the remote admin databases such as RADIUS servers, AD domain controllers, TACACS+ servers, LDAP servers, or OCSP responders.
NIOS comes with a default superuser admin group (admin-group). It also automatically creates a new admin group, fireeye-group, when you add the first FireEye RPZ (Response Policy Zone). Infoblox recommends that you do not add another admin group with the same name as the default or FireEye admin group. Note that the FireEye admin group is read-only and you cannot assign permissions to it. For more information about FireEye RPZs, see see About FireEye Integrated RPZs.
When you install valid licenses and configure your Grid for Cloud Network Automation, NIOS enables the cloud-api-only admin group. You can assign admin users to this group so they are authorized to send cloud API requests to the Cloud Platform Appliances. Note that you cannot delete this admin group or create a new admin group using the same name. For information about Cloud Network Automation, see see Deploying Cloud Network Automation.
You can create additional superuser admin groups, as follows:
...
| Note | ||
|---|---|---|
| ||
When you assign cloud API access to an admin group, the group assumes full authority over all delegated objects. You must however specifically assign object permissions to the admin group for the group to gain authority over non-delegated objects. For information about how to assign object permissions, see Defining Object PermissionsDefining Object Permissions. |
4. Click Next and complete the following to define the dashboard template:
- Dashboard Template: From the drop-down list, select the dashboard template you want to assign to this superuser group. When you apply a dashboard template to an admin group, the template applies to all users in the group. The default is None, which means that users in this group can access all licensed tasks in the Tasks Dashboard tab if they have the correct permissions to the task-related objects. Note that if you want to delete a template, you must first unassign the template from an admin group, or select None, before you can delete it. For more information about dashboard templates, see see About Dashboards.
5. Click Next to add admin email addresses if you want the appliance to send approval workflow notifications to a list of email addresses for the admin group. Complete the following in the Email Address table:
Click the Add icon and Grid Manager adds a row to the table. Enter the email address of the admin who should receive workflow notifications. You can click the Add icon again to add more email addresses. You can also select an email address and click the Delete icon to delete it. To modify an email address, click the Email Address column and modify the existing address.
| Note | ||
|---|---|---|
| ||
When you configure an approval workflow and select Group Email Address(es) as the approver notification addresses, the appliance sends workflow notifications to all email addresses you have added to this table. For information, see Configuring Approval Workflows Configuring Approval Workflows. |
6. Optionally, click Next to add extensible attributes to the admin group. For information, see About see Managing Extensible Attributes.
7. Save the configuration and click Restart if it appears at the top of the screen. You can do one of the following after you create a superuser admin group:
- Add local admins to the superuser group. For information, see see Creating Local Admins.
- Assign the superuser group to remote admins. For information, see see About Remote Admins.
Creating Limited-Access Admin Groups
...
| Note | ||
|---|---|---|
| ||
|
...
- DashboardTemplate: From the drop-down list, select the dashboard template you want to assign to this superuser group. When you assign a dashboard template to an admin group, the template applies to all users in the group. The default is None, which means that users in this group can perform all licensed tasks in the TasksDashboard tab if they have the correct permissions to the task-related objects. Note that if you want to delete a template, you must first unassign the template from an admin group, or select None, before you can delete it. For more information about dashboard templates, see About Dashboards.
- Display Task flow Dashboards Only: Select this checkbox if you want to restrict this admin group to access only the Tasks Dashboard in Grid Manager. Note that when you select this checkbox, users in this admin group have access to the tasks you specified in the selected dashboard template, if applicable. They cannot perform any other tasks or manage any core network services in Grid Manager the next time they log in to the system.
...
| Note | ||
|---|---|---|
| ||
When you configure an approval workflow and select Group Email Address(es) as the approver notification addresses, the appliance sends workflow notifications to all email addresses you have added to this table. For information, see Creating Approval WorkflowsCreating Approval Workflows. |
6. Optionally, click Next to add or delete extensible attributes for this admin group. For information, see About see Managing Extensible Attributes.
7. Save the configuration and click Restart if it appears at the top of the screen.